Effective risk management is a key factor in organisational success. As well as reducing the likelihood of the business having to firefight unforeseen and potentially catastrophic events, risk management can underpin effective use of resources, reduce waste and fraud and smooth the path to innovation and improved service delivery.
Forward thinking businesses have adopted the latest best practice of treating risks as positive opportunities as well as negative threats. This concept of risk management is fast gaining acceptance and organisations are at last beginning to embed risk management across all departments so that it becomes part of their culture, rather than being siloed in departments such as compliance or IT security. As an organisation matures in its risk management approach it can expect every member of staff to play a part in identifying risks to operations or projects and in assessing the implications.
Embed a holistic view
In many organisations, this holistic view of risk management will be replacing a rather piecemeal legacy approach. Traditionally, risk management has not been high on the agenda, but this is changing. With the aim of creating a pervasive culture of risk management, HR departments can work with the business to define the policies, procedures and frameworks that will help direct the organisation’s risk management strategy.
These may be adapted to suit different work streams – from implementing new systems to creating new products and services. However, they must be embedded into the organisation so that staff know that when they are doing something new they must consider risk implications before making decisions. Policies and procedures should direct staff to ask themselves what could go wrong with their proposed action and what could support it. What changes might occur in future that could have either a positive or negative impact?
The ISO 31000 standard provides a useful framework for organisations seeking to formalise an organisation-wide approach to risk management. ISO 31000:2009: Risk Management – Principles and Guidelines summarises the actions organisations need to take to manage risk effectively and respond to opportunities and threats in an appropriate way. The more detailed Management of Risk (M_o_R®)2 Practitioner Guidance can be used to help organisations ensure their risk management approach meets the requirements of ISO 31000. M_o_R provides a practical approach to embedding a risk management culture: while the ISO 31000 standard outlines what needs to be done, M_o_R sets out how to do it.
While M_o_R links to other AXELOS Best Practice, it has a wider remit than the disciplines of programme and project management. The M_o_R guidance provides HR management with a useful tool to get a better understanding of the role of operational managers, programme managers, project managers, asset managers, and the many other professionals who must maintain the key controls that help manage risks to the organisation.
M_o_R identifies four levels in an organisation, starting at the top with the high level, strategic perspective. The second tier is where strategic company-wide programmes are driven and managed. Programmes comprise projects, the next grouping, while the operational perspective is at the lowest level. At each tier, everyone in the organisation needs to help identify and manage the threats and opportunities that will either harm, or support objectives.
Support the risk champion
It is essential to get executive level buy-in to embedding a risk management approach. A multi-disciplinary senior team, including the HR director, should take responsibility for documenting and assuring adherence to the risk management policy. It should also define the organisation’s risk appetite and undertake regular reviews of the risk management strategy. A single senior champion should be the face of this team. This person does not need to be a risk specialist – in fact it would send out a stronger message about the wider applicability of risk management if the board champion were not a specialist. The HR director will be well-placed to support this high level risk management champion in taking ownership of documenting the risk process and driving a risk management culture.
HR needs to work with the business to assess the organisation’s risk appetite, as this will underpin all future risk management processes. Innovative tech companies may have a higher appetite for risk than a traditional finance house, for example. The concept of a measurable risk tolerance should then be applied to every new programme, project and operational activity and once the risk tolerances have been set, any risks identified that exceed agreed tolerance thresholds must be escalated to the next level of authority, so that the right people are managing the right risks at the right time.
Some organisations may benefit from a catalyst to effect culture change in the form of external consultants or trainers. While external experts can help HR draft a risk process, risk considerations have to cascade to every level. HR has a part to play in commissioning effective training to convey the value of risk management to all staff. A failure to formalise the transition to a risk management culture can result in risk management just becoming an ancillary, informal function rather than a documented process embedded into daily activities. It is vital that the end result of any training is that responsibility for the execution of sound risk management activities and the operation of key control points falls on the wider employee base as part of their day-to-day activities.
HR has an important part to play in introducing best practice in embedding a risk management outlook into workflow. Here are five recommendations for actions HR management can take:
- Know the difference between a risk register and a proper risk strategy. A risk register is suitable for individual programmes and projects and operations and is used to identify risks, their probability and impact and plans to address them. A risk strategy is a strategic document that includes for example the definition of risk appetite, tolerance processes techniques and responsibilities – and may be used to demonstrate to the authorities that the organisation is following Best Practice.
- Audit the business’ current approach to risk management department by department and horizontally, across the business. This will create not just a vital starting point but also serve as a reference in future. As the organisation evolves its approach to risk management it might be useful to emulate the Home Office, which is working to a maturity model so that it may continuously improve its management of risk.
- Support staff in the transition to a risk management culture with training, tailored not just to your organisation but also to the different levels of staff within it. Start at the top with education and awareness for senior staff and create an expectation that they will cascade the awareness to their staff. Computer-based training will work for some job roles while other people will respond better to a traditional classroom-based format. Training that is closely aligned to the organisation’s activities and objectives will be most effective in helping people learn not only how to change their behaviour to take a risk management approach, but also why they should do so.
- Document a clear escalation process for risk. A threat or opportunity at any level could have an effect on everything else. As well as embedding a risk culture, there needs to be board level control of risk supported by a multidisciplinary risk management team.
- Keep it going. Embedding risk management is not a one-off project and HR managers should plan to keep risk high on the agenda by embedding it into the induction and appraisal processes of their organisations – and promoting the benefits of the approach through employee communications such as newsletters.A Best Practice approach to risk management demands an organisation-wide approach. If HR is not involved in risk management the organisation is doing it wrong. HR has a major part to play in embedding a risk management culture – and driving understanding and acceptance of risk management processes that will ultimately underpin enhanced performance and profits.